Plan document protection settings in the 2007 Office system

Updated: February 12, 2009

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2016-11-14

The 2007 Microsoft Office system contains several settings that enable you to control the way documents are encrypted. By using these settings, you can:

  • Specify the cryptographic service provider (CSP), cryptographic algorithm, and key length that are used to encrypt documents in Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, and Microsoft Office Word 2007.

  • Change the way sections of text are encrypted with the password protection feature in Microsoft Office OneNote 2007.

For detailed explanations of each encryption setting, see "Document protection settings" in Security policies and settings in the 2007 Office system.

As you plan your encryption settings, keep the following guidelines in mind:

  • There is no administrative setting that enables you to force users to encrypt documents.

  • There are separate encryption settings for files that are saved in the Office 97-2003 format and in the new Office Open XML Formats.

  • Disabling notifications in the Message Bar has no effect on encryption settings.

  • We recommend that you do not change the default CSP, cryptographic algorithm, or key length unless you are an expert in cryptography and encryption and your organization's security model requires encryption settings that are different from the default settings.

  • You can encrypt documents in only the following applications: Office Excel 2007, Office OneNote 2007, Office PowerPoint 2007, and Office Word 2007.

  • Saving documents in trusted locations has no effect on encryption settings. If a document is encrypted, and it is saved in a trusted location, a user must provide a password to open the document.

Although you can configure encryption settings to address a wide variety of scenarios, these settings are most commonly used to:

  • Change encryption settings for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.

  • Change the encryption settings for Office OneNote 2007.

Change encryption settings for Excel 2007, PowerPoint 2007, and Word 2007

To change the CSP, cryptographic algorithm, and key length that are used to encrypt documents in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, configure the settings that are listed in the following table.

This setting: Encryption type for password-protected Office Open XML files
Enables you to do this: Specify a CSP, cryptographic algorithm, and key length for encrypted files that are saved in Office Open XML Formats.

This setting: Encryption type for password-protected Office 97-2003 files
Enables you to do this: Specify a CSP, cryptographic algorithm, and key length for encrypted files that are saved in the Office 97-2003 format.

If you change the default settings for the CSP, cryptographic algorithm, and key length, be sure that:

  • Users have the proper support for the settings that you specify installed on their computers.

  • You record the settings in your security planning documents and in your security operations documents.

In addition, if your organization uses the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats to encrypt Office Open XML Formats files, you should review the following:

  • By default the Compatibility Pack uses the following settings to encrypt Office Open XML Formats files:

    • Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128 (on the Microsoft Windows XP Professional operating system).

    • Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128 (on Microsoft Windows Server 2003 and Windows Vista operating systems).

  • Users are not notified that the Compatibility Pack uses these encryption settings.

  • The graphical user interface on earlier versions of the Office system might show incorrect encryption settings for Office Open XML Formats files if the Compatibility Pack is installed.

  • Users cannot use the graphical user interface in earlier versions of the Office system to change the encryption settings for Office Open XML Formats files.

  • If you use the Encryption type for password-protected Office Open XML files policy setting to change encryption settings, and the policy setting is applied to a computer on which the Compatibility Pack is installed, the Compatibility Pack will encrypt Office Open XML Formats files with the encryption settings that you specified in the Encryption type for password-protected Office Open XML files policy setting.
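The check below is an added example, not part of the original topic or of any Microsoft tool. It parses a planned value in the "CSP,algorithm,key length" form shown above and reports, per computer, whether the named CSP is installed and whether the key length agrees with the algorithm name. The host names, the inventory, and the problem codes are constructed for illustration; in practice the inventory would come from your own asset data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EncryptionSetting:
    csp: str
    algorithm: str
    key_length: int

def parse_setting(value):
    """Parse 'CSP,algorithm,key length'; split from the right so the CSP name stays whole."""
    parts = [p.strip() for p in value.rsplit(",", 2)]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected 'CSP,algorithm,key length': %r" % value)
    csp, algorithm, bits = parts
    if not bits.isdigit():
        raise ValueError("key length is not a number: %r" % bits)
    return EncryptionSetting(csp, algorithm, int(bits))

def check_setting(setting, installed_csps):
    """Return problem codes for one computer; an empty list means the setting is usable."""
    problems = []
    if setting.csp.casefold() not in {name.casefold() for name in installed_csps}:
        problems.append("csp-not-installed")
    # When the algorithm name carries a size ("AES 128"), it must match the key length.
    sizes = [int(tok) for tok in setting.algorithm.split() if tok.isdigit()]
    if sizes and sizes[-1] != setting.key_length:
        problems.append("key-length-mismatch")
    return problems

def audit(policy_value, inventory):
    """Map each computer to the problems the planned policy value would cause on it."""
    setting = parse_setting(policy_value)
    return {host: check_setting(setting, csps) for host, csps in inventory.items()}

# Constructed inventory (hypothetical host names). CSP names are the two from this
# topic: the Windows XP name carries "(Prototype)", the later systems' name does not.
SAMPLE_INVENTORY = {
    "xp-desk-01": ["Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"],
    "srv2003-fs-02": ["Microsoft Enhanced RSA and AES Cryptographic Provider"],
    "vista-lap-07": ["Microsoft Enhanced RSA and AES Cryptographic Provider"],
}

if __name__ == "__main__":
    planned = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128"
    for host, problems in audit(planned, SAMPLE_INVENTORY).items():
        print(host, "OK" if not problems else ", ".join(problems))
```

With the sample inventory, a single value that uses the CSP name without "(Prototype)" is flagged on the Windows XP computer only, which is the mismatch to resolve before the policy setting is deployed to a mixed environment.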

Change encryption settings for OneNote 2007

The 2007 Office system provides several settings that enable you to change the way that the password protection feature works in Office OneNote 2007. Although you can configure these settings for numerous different scenarios, these settings are most commonly used to:

  • Prevent users from using the password protection feature to encrypt sections of text.

  • Strengthen password protection feature settings.

Prevent users from encrypting sections of text

To prevent users from encrypting newly created notes in Office OneNote 2007, use the settings that are listed in the following table.

Setting name: Disable password-protected sections
Recommended configuration: Select this option: Disabled
Description: By default, encrypted sections are enabled. When you enable this configuration option, users cannot:

  • Encrypt new and existing sections of text.

  • Disable encryption on a section of text that is encrypted.

  • Change the password that is used to unlock a section of text.

When this option is selected, users can still enter a password to access sections of text that are encrypted.

If you enable this setting, be sure that you:

  • Notify users that they cannot use the password protection feature to encrypt sections of text.

  • Record the settings in your security planning documents and in your security operations documents.

Strengthen password protection feature settings

To strengthen the password protection feature settings for Office OneNote 2007, use the settings that are listed in the following table.

Setting name: Disallows add-ons access to password protected section
Recommended configuration: Select this option: Enabled
Description: By default, add-ins can access encrypted sections of text that are unlocked. Selecting this option prevents add-ins from accessing encrypted sections of text even when the text is unlocked by a user.

Setting name: Lock password protected sections as soon as I navigate away from them
Recommended configuration: Select this option: Enabled
Description: By default, encrypted sections of text remain unlocked for a period of time after a user enters a password to unlock the text. Selecting this option ensures that encrypted sections of text become locked as soon as a user navigates away from the text.

If you change these settings from their default state, be sure that you:

  • Notify users about the more restrictive settings.

  • Record the settings in your security planning documents and in your security operations documents.
